Doctor’s offices have one mission: to take care of their patients. That is also what is on the patient’s mind while sitting in the waiting room. One way to streamline operations and potentially improve cash flow is to outsource the billing function, and many firms focus on efficiently billing for a doctor’s services. Because of the work they do, these businesses hold much of the same data as the doctor’s offices themselves, and they earn income as they process the claims. These two factors make them perfectly viable targets. One such business is Doctor’s Management Services (DMS), based in Massachusetts. Its primary mission is to provide medical billing and related services to its clients, the doctor’s offices and hospitals.
The initial stages of the attack occurred on April 1, 2017. The attack vector was an attack over the Remote Desktop Protocol (RDP) through an endpoint. It was detected on Christmas Eve, 2018. When the files were encrypted and staff could no longer access them, management knew they had a rather significant problem. The business hired forensic professionals to investigate the incident, and through the investigation the malware was identified as GandCrab.
Unfortunately, this did not affect only one client; it affected 38 different practices. The patients’ PII could have been compromised as part of this incident, including, much to their detriment, name, address, date of birth, Social Security number, driver’s license number, Medicare/Medicaid information, and other medical information. This does not necessarily mean the patients’ PII was accessed; however, I would be willing to presume it was. Otherwise, why would the attackers have been seeking to breach the security? The business did report this to the Department of Health and Human Services (HHS), as HIPAA regulation requires, and also notified the persons whose PII was affected.
As expected, the business was given a ransom amount; once it was paid, the decryption key would supposedly be provided. The business refused to pay. This is generally the optimal route, given that paying opens the opportunity for more malicious acts. The business elected to use its backups and rebuild the files.
Clearly there was a need for improvement after this situation. The business updated its network security and limited access to the system from IP addresses outside its organization. There was also additional staff training, to help remove, as much as possible, the potential for this to occur again.
The attackers appear to have had unfettered access to the system from April 1 through December 24, 2018. This is an exceptionally long time for an unauthorized third party to have full access to a system without being noticed by the SIEM and the InfoSec personnel. The question in many minds is: what did the business have in place that did not work at all?
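The two gaps described above, RDP reachable from outside the organization and a SIEM that never flagged the sessions, can both be covered by one small detection over Windows logon events. The following is an added example, not code from this article or from DMS; it assumes constructed sample log lines in a simplified format, a hypothetical list of the organization’s own address ranges, and the Windows convention that interactive RDP logons are recorded as event 4624 with logon type 10.

```python
import ipaddress
from datetime import datetime

# Address ranges the organization owns (assumption: constructed for this example).
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample lines: "timestamp event_id logon_type user source_ip".
# 198.51.100.23 is a documentation address standing in for an outside host.
SAMPLE_LOG = """\
2017-04-01T02:14:09 4624 10 svc_backup 198.51.100.23
2017-04-01T09:30:11 4624 10 jsmith 10.0.4.17
2017-06-12T03:02:44 4624 10 svc_backup 198.51.100.23
2018-12-24T01:55:02 4624 10 svc_backup 198.51.100.23
2018-12-24T08:10:00 4624 2 jsmith 10.0.4.17
"""

def is_external(ip):
    """True when the source address is outside every range the organization owns."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ORG_NETWORKS)

def external_rdp_logons(log_text):
    """Return (timestamp, user, ip) for RDP logons (4624, type 10) from outside ORG_NETWORKS.
    Interactive local logons (type 2) and internal sources are left alone."""
    hits = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, user, ip = line.split()
        if event_id == "4624" and logon_type == "10" and is_external(ip):
            hits.append((datetime.fromisoformat(ts), user, ip))
    return hits

def dwell_days(hits):
    """Whole days between the first and last external RDP logon: the window
    a SIEM rule on this pattern would have closed on day one."""
    if not hits:
        return 0
    stamps = [h[0] for h in hits]
    return (max(stamps) - min(stamps)).days

if __name__ == "__main__":
    found = external_rdp_logons(SAMPLE_LOG)
    for ts, user, ip in found:
        print(f"ALERT external RDP logon {ts} user={user} from={ip}")
    print(f"dwell window: {dwell_days(found)} days")
```

In production the same rule would run against the forwarded Security log rather than a text dump, and a non-empty result is itself the alert.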
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.